The Stats Used To Support Cybercrime 'Threats' Just As Bogus As Hollywood's 'Loss' Claims

from the but-of-course... dept

While the latest attempt to pass a cybersecurity bill may be on ice for now, it'll be back... and with it there will be a lot more hyperbole about how urgent this is because of various massive "losses" already happening due to cybersecurity problems. Of course, nearly all of the numbers and claims you hear will be 100% bogus.

For years, we've highlighted stories about how the claims of "losses" from the entertainment industry due to infringement are completely fictitious. In the past, we've seen Julian Sanchez go on a hunt to find the origin of some of the numbers being thrown around, and come up with evidence that they're based on nothing. For example, claims of $200 billion in losses due to counterfeiting... came from a 1993 Forbes article that just makes that claim with no citation and no backing info. But it became gospel among those arguing there was a problem.

With Congress and the President continuing to insist that we need a cybersecurity bill, politicians have been tossing around all sorts of questionable numbers. Just a few weeks ago, we noted that General Keith Alexander, the head of the NSA, had tossed out some numbers and claimed that cybersecurity was the "greatest transfer of wealth in history." Considering that we're living through the aftermath of a financial meltdown that involved a massive transfer of wealth, I find the original claim difficult to believe. Plus, as we noted, he seemed to only cite studies from McAfee and Symantec, two companies who have a massive vested interest in keeping the cybersecurity FUD going, because it helps them sell stuff.

Thankfully, the folks over at Pro Publica decided to take a much closer look at the numbers politicians are relying on in support of the massive "harm" that is already being caused by online security issues... and discovered that the numbers are completely and totally bogus. In fact, the full story (which is fascinating) parallels (very closely) the story with "piracy" stats from the industry.

One popular number is "$1 trillion" in losses due to cybersecurity breaches. That number gets thrown around a lot by politicians (and many in the press who merely parrot such numbers unquestioningly, even as that gives those politicians more cover to claim that there's a reputable source supporting the number). Yet, the Pro Publica report highlights that, not only is this number bogus, but the (quite well respected) researchers who put together the original report for McAfee did not use that number and, more importantly, many of them spoke out publicly with surprise that McAfee put out a press release with such a number -- which they thought was questionable and not supported by their data.

In fact, there were a number of methodological problems, including that the data was based on a self-reported "average" amount of the "worth of sensitive information stored in offshore computer systems." Who knows if the respondents are being accurate, first of all, but even more to the point, the "worth" of such information is a highly subjective number. People can find something "worthwhile" without paying for it, but by focusing on the "worth," they obscure the fact that the market price may be quite different from what people think something is worth. And what people think something is worth has zero impact on any actual losses. But, starting from a very small number, McAfee just sprinkled some magic pixie dust on the already questionable figure and proceeded to extrapolate, massively:

“The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,” the release said. “Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.” The release contained a quote from McAfee’s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was “Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.”

The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.

Now, remember, this $1 trillion number is just in the press release. It's not in the report at all. And the report's researchers were just as baffled (and even more concerned) about this:

Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”

.... The company’s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report’s unveiling, she received a draft of the news release that contained the $1 trillion figure. “I expressed my concern with the number as we did not generate it,” Rees Ulmer said in an email. She added that although she couldn’t recall the particulars of the phone conversation in which she made her concerns known, “It is almost certainly the case that I would have told them the number was unsupportable.”

...The news stories got the worried attention of some of the report’s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, Augusto Paes de Barros, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, “I could not find any data in that report that could lead into that number.... I’d like to see how they found this number.”

I don't know about you, but when a super well respected security researcher tells you that the basis of a particular claim is based on a number whose "intellectual quality ... is below abysmal," that's the point at which you should probably stop using the number. But, instead, politicians and the press continue to parrot the line over and over again.

The slightly smaller number, from Symantec, is still equally questionable. They go with $250 billion... but the number has almost no support. It does come from a real Symantec report, but not from Symantec employees. Instead, they hired another firm to magically come up with the number, and it sounds like magic would have been just as effective as what was eventually done. It raised concerns from actual experts in the field:

“Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.”

Furthermore, even if we take these numbers at face value, the original reports on both of them say these numbers represent the value of the attacks in question, and not what was actually "lost" or how much it cost to deal with. However, when a politician quotes them, they almost always do so by at least suggesting that these made up "values" are very real "losses" to companies. In other words, the numbers (shocker, shocker) are being twisted by cybersecurity law supporters. For example, just recently, Senator Collins said that General Alexander "believes American companies have lost about $250 billion a year," but that's not true. Already, we know the number is suspect -- but even if we accepted the number, it only represents the "value" that various companies have put on things harmed by security issues, not any sense of actual losses. Claiming that these are losses isn't just misleading, it's wrong.

We've argued for years that actual data should inform the debate on these things -- but that data needs to be accurate and supportable. Unfortunately, with cybersecurity threats, the claims that are being thrown around have no basis in reality. If politicians really want to discuss the "threat" of cybersecurity, the least they can do is get some accurate research on the scope of the problem. Trusting a number from a McAfee press release is not credible and it's certainly no basis for passing a law that wipes out privacy rights of the public.

Re: Re: ...and just as bogus as the claims that frakking is safe.

More snack foods are being created today than at any other time in human history. It's just that the big consumers are seeing less, and the remainder is being transferred to many others. It's not a drought, it is a re-appropriation ... hmmm ... that reminds me of ...

The Bill that will take away more of our Rights will be back to haunt us. As long as there are Republicans and Democrats in Office they will continue to hound us and take away our Rights. They already have again and again so I know what I say is true.
I intend on not Voting for either of these bloated corrupt Parties even if my Vote is considered a wasted one. I am sick of seeing those two Parties in Office.
I hate this Government and the only ways to really change it seems like either a Revolution or to just try and Vote them out.

No smoke, no fire

You know the numbers are bogus because the shareholders of these companies haven't revolted and lynched the board and execs. There have been few, if any, lawsuits filed against these companies for the massive losses.

JP Morgan loses $6 billion with poor trading practices and even though they can pretty easily absorb that loss, execs are fired and the whole company is looking to be re-org'ed.

If American companies, even in aggregate, were losing a trillion dollars, there'd be no end to the news. And yet... we hear nothing of the sort. There's not even a wisp of smoke - so there isn't any fire here.

Re: No smoke, no fire

The numbers are not bogus. After all, most financial transactions are conducted by computers these days, and look how much money was lost (if not outright stolen) by the likes of Bear Stearns, Goldman Sachs, Fannie Mae, Freddie Mac and the like.

Clearly, if we'd had tougher cybersecurity legislation on the books, this sort of stuff would never have happened.

I'm actually surprised nobody has actually tried using this line of reasoning to push these bills.

what difference does it make to the politicians and other powerful people? idiots though they may well be, they take notice of this sort of bogus information so they can then introduce or back previously introduced bull shit laws. all they succeed in doing is hurting the people by removing privacy and freedom, hurting other companies that have to spend thousands of dollars conforming to the new, waste of time law and increase the profits of certain security companies. oh, i forgot. those are the same companies the powerful have vested interests in!

Collective Bargaining

Being from Ohio, United States, the concept of representatives at the state government level taking erroneous data from the editorials of major news papers is nothing new to me. I'm not surprised that things at the federal level are the same.

Anyone from the US (especially from Wisconsin or Ohio) would understand this problem very much so. There were several editorial articles that were taken that had data portraying that public school teachers were making more than $50,000 US a year by the end of their careers and tax payer money was being wasted (especially in Ohio... I'll use Ohio because I know how it all went down where I live) on union dues. What did our local law makers do? They took away the rights of the State workers unions to collectively bargain for benefits... it was later repealed by hand written signature. The bill also gave the town council the final word on an individual teacher's wages, not the school board.

For those outside the US who might not understand, States are not forced to provide benefits for their workers in the US. Some of them (like Ohio) do not provide medical or health insurance and no pension plan for retirement for public servants such as teachers. Unions were given the right to bargain for said wages and benefits so the teachers could have something to retire upon. With the collective bargaining rights gone, teachers couldn't get a raise when they deserve it. How much of your pay as a public school teacher that went to union dues for retirement was up to the individual.

Needless to say I know all about the issues of senators using erroneous figures in editorials to pass bad baseless laws.

It was obvious for me from DAY ONE, that what they used was copyright math, as soon as they said the IP theft is valued at $1 trillion. Do politicians or the NSA really think the whole population is brain-dead or something?

Re:

Oh not the whole population, just the ruling class.

After all it wouldn't matter a whit if the entire population was filled to the rafters with literal geniuses, so long as the ones who rule are either gullible enough to swallow such blatant lies and falsehoods, or corrupt and paid off enough to go along with the lies.

Re:

No, no, you don't understand. It ain't the populace that's braindead (see response to SOPA, PIPA, ACTA, etc.), it's the Politicians. Their meager brains have been so overwhelmed by all of that green and white stuff, including money, they are inundated with that they can't think. How many sane, rational people do you know that would make the kinds of decisions and judgements that they do? What do you expect?

My thoughts on all this loss stuff is that it most likely parallels losses in the real world, whether it be music, movies, cyber security breaches or what have you. In any case, in the real world we call it shrinkage. You're gonna have it. It's part of the human condition.

Intensity matching

Here's my view of the political thought process in this case.

Step one: Substitution. >> A difficult question "How much does cybercrime cost?" is replaced with a simpler question "How much do we care about cybercrime?"
Step two: Intensity matching. >> Relative importance of the cybercrime issue is expressed on the monetary scale. A trillion dollars seems like a good match for something that's related to cyber warfare.

How much is the world GDP worth today? According to http://data.worldbank.org/indicator/NY.GDP.MKTP.CD/countries?display=graph it's near 70 trillion. That would make cybersecurity alone cost 1,43% of the world GDP. That's almost 1 South Korea in losses. That's a whole freaking lot. But there are other losses aren't there? There's the MAFIAA losses. There's the losses to natural phenomena (extreme conditions). There's the losses to pollution. There's the losses to corruption. To organized crime. To counterfeiting. Somehow I don't think all the claimed losses along with the very real ones add up in the end.

It's also on par with the amount of money thrown around the world to bail out the "ailing economy" btw. And it's 6,7% of the American GDP.

So when you put the numbers in perspective it sounds much less reasonable (the 1 trillion figure).

It's not the money, dude!

Anyone who tries to absolute $$$ to not only the reality of the threat but the damage already done (which has been clearly documented), is a fool. To throw cyber into the political arena for a contender's benefit is an insult to concerned Americans. Carry on, fools, with your insane use of unsecured WI-FI and hooking up things never meant to be so on the Internet. The next "whoosh" you [might] hear will be that of our infrastructure being sucked out by the hep cyber criminals.